At the end of last year, the Court of Justice of the European Union ruled that the EU Safe Harbour Decision (permitting the transfer of personal data to the US) was invalid as the US did not provide an adequate level of protection of personal data within the meaning of Article 25 of Directive 95/46.
The Protection of Personal Information Act 4 of 2013 (POPI) includes similar “safe harbour” language for the cross-border transfer of personal information. In this insight we provide a brief overview of the requirements to transfer personal information to a third party in a foreign country under POPI.
POPI is the first piece of legislation in South Africa that deals specifically and fully with the protection of personal information. The commencement of POPI (the date of which is yet to be proclaimed) will require a complete reform of the manner in which entities process personal information to ensure compliance with POPI, particularly the transfer of such information to another country.
Transfer of personal information outside South Africa
POPI prohibits the transfer of personal information to a third party who is in a foreign country unless such transfer falls within the ambit of certain exemptions.
These exemptions include the transfer of personal information to a third party who is subject to a law, binding corporate rules or binding agreement which provides an “adequate level of protection” that:
- effectively upholds the principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
- includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country.
POPI does not specify which countries have laws that provide an adequate level of protection or the manner in which such countries will be identified. Further clarity may be available when regulations are published pursuant to POPI. Accordingly, it would be prudent for entities to rely on agreements that provide for adequate levels of protection or binding corporate rules for the transfer of personal information out of South Africa (unless the transfer falls within one of the other categories).
“Binding corporate rules” is defined in POPI as personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country. Accordingly, it appears that the binding corporate rules exemption will only apply to entities that are transferring personal information to entities within the same group.
Other exemptions to cross-border transfers
In addition to the safe harbour type exemption referred to above, the cross-border transfer of personal information is permitted if:
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
- the transfer is for the benefit of the data subject, and:
  - it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
  - if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.